author: Sebastiaan Zeeff <[email protected]> 2020-11-14 11:07:18 +0100
committer: Sebastiaan Zeeff <[email protected]> 2020-11-14 11:10:23 +0100
commit: 5d50adf20946665d92df2e9f2551f3db1946d5b0
tree: 6dc9c4dbf668db0b8a34eee5ba99ceeeb4cfbc96
parent: Add CI dependency coveralls to our Pipfile
Stop Checkout Actions from persisting credentials
By default, the Checkout Actions persists the credentials in the environment. As our Actions will also run for PRs made from a fork, we don't want to persist credentials in such a way.

I've also:
- Ported a comment on PIP_USER and pre-commit from the azure configs
- Removed unnecessary id for the pre-commit caching step

Signed-off-by: Sebastiaan Zeeff <[email protected]>
-rw-r--r-- .github/workflows/lint-test-build.yml 9
1 files changed, 7 insertions, 2 deletions
diff --git a/.github/workflows/lint-test-build.yml b/.github/workflows/lint-test-build.yml
index 05783e813..9101574ae 100644
--- a/.github/workflows/lint-test-build.yml
+++ b/.github/workflows/lint-test-build.yml
@@ -33,8 +33,12 @@ jobs:
- name: Add custom PYTHONUSERBASE to PATH
run: echo '${{ env.PYTHONUSERBASE }}/bin/' >> $GITHUB_PATH
+ # We don't want to persist credentials, as our GitHub Action
+ # may be run when a PR is made from a fork.
- name: Checkout repository
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: Setup python
id: python
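Review bot: the added `persist-credentials: false` covers only the `Checkout repository` step in this hunk, and the diffstat shows a single file touched, so any other `actions/checkout` step in this or another workflow that can run for fork PRs would still use the default. Please check for those and give them the same `with:` block. The new comment could also note that a later step needing authenticated git will have to be given a token explicitly, so that nobody reverts this setting just to make a push work.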
@@ -59,14 +63,15 @@ jobs:
- name: Pre-commit Environment Caching
uses: actions/cache@v2
- id: pre_commit_cache
with:
path: ${{ env.PRE_COMMIT_HOME }}
key: "precommit-0-${{ runner.os }}-${{ env.PRE_COMMIT_HOME }}-\
${{ steps.python.outputs.python-version }}-\
${{ hashFiles('./.pre-commit-config.yaml') }}"
- # We will not run `flake8` here, as we will use a separate flake8 action
+ # We will not run `flake8` here, as we will use a separate flake8
+ # action. As pre-commit does not support user installs, and we don't
+ # really need it, we set PIP_USER=0.
- name: Run pre-commit hooks
run: export PIP_USER=0; SKIP=flake8 pre-commit run --all-files
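Review bot: removing `id: pre_commit_cache` from the `Pre-commit Environment Caching` step is safe only if no later step reads `steps.pre_commit_cache.outputs.cache-hit` or similar; nothing in the visible lines does, but the rest of the file is not shown here, so please confirm with a search before merging. As a style point on the `Run pre-commit hooks` step, `export PIP_USER=0; SKIP=flake8 pre-commit run --all-files` mixes two ways of setting variables on one line; a step-level `env:` block with `PIP_USER: 0` and `SKIP: flake8` would keep the reworded comment next to the setting it explains and leave `run:` as just the command.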